feat: implement Vault extension using GCP Secret Manager (#6) (#10)
* feat: implementation of Vault with GCP Secret Manager

#6

* style: build config cleanup

- Case harmonized to lowercase
- Libraries in version file sorted

* refactor: fix review comments for #6

- Used Stream instead of String path for GcpSecretManagerVault.createWithServiceAccountCredentials
- Switched to var
- Fixed log messages to start with capital
- Simplified reading of settings in GcpSecretManagerVaultExtension with ServiceExtensionContext.getSetting
- Moved private method at the end of the file
- Replaced assertTrue/False with assertThat(x).isTrue/isFalse
- Used static imports in tests
- Mocks reinstantiated at every test, not reset

* refactor: fixed new comments for #6

- Used context.getConfig().getString for getting mandatory settings
- Moved TestStatusCode class to private, at the end of the file
- Fixed imports (removed unused, resorted)

* refactor: typos and docs updated, member variables made final

* refactor: removed jimfs dependency

* chore: updated DEPENDENCIES, cleaned build dependencies

* refactor: removed synchronized blocks from Vault implementation

- as per review, EDC owns synchronization

* chore: DEPENDENCIES - new attempt

* chore: updated dependency-check.yml

* chore: DEPENDENCIES updated with content generated by new workflow
man8pr authored Jul 15, 2023
1 parent 20ecf1d commit c4e9db1
Showing 12 changed files with 840 additions and 73 deletions.
49 changes: 2 additions & 47 deletions .github/workflows/dependency-check.yml
Expand Up @@ -9,50 +9,5 @@ permissions:
contents: read

jobs:
Check-Allowed-Licenses:
runs-on: ubuntu-latest
continue-on-error: false
if: ${{ github.event_name == 'pull_request' }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
# Representation of this list: https://www.eclipse.org/legal/licenses.php#
# Expressed with the help of the following IDs: https://spdx.org/licenses/
allow-licenses: >-
Adobe-Glyph, Apache-1.0, Apache-1.1, Apache-2.0, Artistic-2.0, BSD-2-Clause, BSD-3-Clause,
BSD-4-Clause, 0BSD, BSL-1.0, CDDL-1.0, CDDL-1.1, CPL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-2.5,
CC-BY-SA-3.0, CC-BY-SA-4.0, CC0-1.0, EPL-1.0, EPL-2.0, FTL, GFDL-1.3-only, IPL-1.0, ISC,
MIT, MIT-0, MPL-1.1, MPL-2.0, NTP, OpenSSL, PHP-3.01, PostgreSQL, OFL-1.1, Unlicense,
Unicode-DFS-2015, Unicode-DFS-2016, Unicode-TOU, UPL-1.0, W3C-20150513, W3C-19980720, W3C,
WTFPL, X11, Zlib, ZPL-2.1
Dash-Dependency-Check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: ./.github/actions/setup-build
- name: Download latest Eclipse Dash
run: |
curl -L https://repo.eclipse.org/service/local/artifact/maven/redirect\?r\=dash-licenses\&g\=org.eclipse.dash\&a\=org.eclipse.dash.licenses\&v\=LATEST --output dash.jar
- name: Regenerate DEPENDENCIES
run: |
# dash returns a nonzero exit code if there are libs that need review. the "|| true" avoids that
./gradlew allDependencies | grep -Poh "(?<=\s)[\w.-]+:[\w.-]+:[^:\s\[\]]+" | sort | uniq | java -jar dash.jar - -summary DEPENDENCIES-gen || true
# log warning if restricted deps are found
grep -E 'restricted' DEPENDENCIES | if test $(wc -l) -gt 0; then
echo "::warning file=DEPENDENCIES,title=Restricted Dependencies found::Some dependencies are marked 'restricted' - please review them"
fi
# log error and fail job if rejected deps are found
grep -E 'rejected' DEPENDENCIES | if test $(wc -l) -gt 0; then
echo "::error file=DEPENDENCIES,title=Rejected Dependencies found::Some dependencies are marked 'rejected', they cannot be used"
exit 1
fi
- name: Check for differences
run: |
diff DEPENDENCIES DEPENDENCIES-gen
check:
uses: eclipse-edc/.github/.github/workflows/dependency-check.yml@main
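Review bot: the replacement job at the end of this hunk references the reusable workflow as `eclipse-edc/.github/.github/workflows/dependency-check.yml@main`, a mutable branch ref, so the license and dependency gate for this repository can change without any commit here; pinning to a tag or a full commit SHA keeps the check reproducible. It is also worth confirming that the reusable workflow preserves the controls this hunk deletes: `fail-on-severity: critical` and the explicit `allow-licenses` list from `Check-Allowed-Licenses`, and the `restricted` warning / `rejected` failure handling from `Dash-Dependency-Check`, since nothing in this file now states them.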
48 changes: 39 additions & 9 deletions DEPENDENCIES
Expand Up @@ -17,48 +17,71 @@ maven/mavencentral/com.github.docker-java/docker-java-transport-zerodep/3.3.0, A
maven/mavencentral/com.github.docker-java/docker-java-transport/3.3.0, Apache-2.0, approved, #7942
maven/mavencentral/com.google.android/annotations/4.1.1.4, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api-client/google-api-client/2.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/gapic-google-cloud-storage-v2/2.22.4-alpha, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/grpc-google-cloud-storage-v2/2.22.4-alpha, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/gapic-google-cloud-storage-v2/2.22.4-alpha, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/grpc-google-cloud-storage-v2/2.22.4-alpha, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-cloud-iamcredentials-v1/2.18.0, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-cloud-storage-v2/2.22.4-alpha, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-cloud-secretmanager-v1/2.20.0, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-cloud-secretmanager-v1beta1/2.20.0, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-cloud-storage-v2/2.22.4-alpha, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-common-protos/2.19.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-common-protos/2.20.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-common-protos/2.21.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-iam-admin-v1/3.14.0, , restricted, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-iam-v1/1.15.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api.grpc/proto-google-iam-v1/1.16.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.api/api-common/2.11.1, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/api-common/2.12.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/api-common/2.13.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax-grpc/2.28.1, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax-grpc/2.29.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax-grpc/2.30.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax-httpjson/0.113.1, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax-httpjson/0.114.0, , restricted, clearlydefined
maven/mavencentral/com.google.api/gax-httpjson/0.114.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax-httpjson/2.30.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax/2.28.1, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax/2.29.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.api/gax/2.30.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.apis/google-api-services-storage/v1-rev20230301-2.0.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.auth/google-auth-library-credentials/1.16.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.auth/google-auth-library-credentials/1.17.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.auth/google-auth-library-credentials/1.18.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.auth/google-auth-library-oauth2-http/1.16.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.auth/google-auth-library-oauth2-http/1.17.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.auth/google-auth-library-oauth2-http/1.18.0, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.auto.value/auto-value-annotations/1.10.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-core-grpc/2.19.0, , restricted, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-core-http/2.19.0, , restricted, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-core-grpc/2.19.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-core-http/2.19.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-core/2.19.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-core/2.20.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-iamcredentials/2.18.0, , restricted, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-secretmanager/2.20.0, , restricted, clearlydefined
maven/mavencentral/com.google.cloud/google-cloud-storage/2.22.4, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.cloud/google-iam-admin/3.14.0, , restricted, clearlydefined
maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, Apache-2.0, approved, #20
maven/mavencentral/com.google.code.gson/gson/2.10.1, Apache-2.0, approved, #6159
maven/mavencentral/com.google.code.gson/gson/2.8.9, Apache-2.0, approved, CQ23496
maven/mavencentral/com.google.errorprone/error_prone_annotations/2.11.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.errorprone/error_prone_annotations/2.18.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.errorprone/error_prone_annotations/2.7.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
maven/mavencentral/com.google.guava/guava/29.0-android, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/guava/30.1.1-android, Apache-2.0 AND CC0-1.0 AND LicenseRef-Public-Domain, approved, CQ23244
maven/mavencentral/com.google.guava/guava/31.0.1-android, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/guava/31.0.1-jre, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/guava/31.1-jre, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/guava/32.0.1-jre, Apache-2.0 AND CC0-1.0 AND CC-PDDC, approved, #8772
maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
maven/mavencentral/com.google.http-client/google-http-client-apache-v2/1.43.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client-appengine/1.43.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client-gson/1.42.3, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client-gson/1.43.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client-gson/1.43.3, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client-jackson2/1.43.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client/1.42.3, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client/1.43.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.http-client/google-http-client/1.43.3, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.j2objc/j2objc-annotations/1.3, Apache-2.0, approved, CQ21195
maven/mavencentral/com.google.j2objc/j2objc-annotations/2.8, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.oauth-client/google-oauth-client/1.34.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.protobuf/protobuf-java-util/3.23.1, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/com.google.protobuf/protobuf-java-util/3.23.2, BSD-3-Clause, approved, clearlydefined
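Review bot: several entries in this hunk carry an empty license column and `restricted` status, including the two libraries this feature depends on directly, `com.google.cloud/google-cloud-secretmanager/2.20.0` and `com.google.api.grpc/proto-google-cloud-secretmanager-v1/2.20.0` (likewise `google-cloud-iamcredentials/2.18.0`, `google-iam-admin/3.14.0` and `proto-google-iam-admin-v1/3.14.0`). The inline workflow removed in this commit only warned on `restricted`, so CI will pass, but an IP review for these should be opened before a release that ships the extension. The hunk also lists three parallel versions of `gax`, `gax-grpc`, `api-common` and the `google-auth-library-*` artifacts (2.28.1/2.29.0/2.30.0, 1.16.0/1.17.0/1.18.0); aligning the Google client libraries to one version in the version catalog would shrink this list and the attack surface that has to be reviewed.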
Expand All @@ -72,6 +95,7 @@ maven/mavencentral/com.squareup.okhttp3/okhttp/4.9.3, Apache-2.0 AND MPL-2.0, ap
maven/mavencentral/com.squareup.okio/okio-jvm/3.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okio/okio/3.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/commons-beanutils/commons-beanutils/1.9.4, Apache-2.0, approved, CQ12654
maven/mavencentral/commons-codec/commons-codec/1.11, Apache-2.0 AND BSD-3-Clause, approved, CQ15971
maven/mavencentral/commons-codec/commons-codec/1.15, Apache-2.0 AND BSD-3-Clause AND LicenseRef-Public-Domain, approved, CQ22641
maven/mavencentral/commons-collections/commons-collections/3.2.2, Apache-2.0, approved, CQ10385
maven/mavencentral/commons-logging/commons-logging/1.2, Apache-2.0, approved, CQ10162
Expand All @@ -82,6 +106,7 @@ maven/mavencentral/info.picocli/picocli/4.6.3, Apache-2.0, approved, clearlydefi
maven/mavencentral/io.grpc/grpc-alts/1.55.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.grpc/grpc-api/1.55.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.grpc/grpc-auth/1.55.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.grpc/grpc-context/1.27.2, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.grpc/grpc-context/1.55.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.grpc/grpc-core/1.55.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.grpc/grpc-googleapis/1.55.1, , restricted, clearlydefined
Expand All @@ -96,9 +121,9 @@ maven/mavencentral/io.grpc/grpc-xds/1.55.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.opencensus/opencensus-api/0.31.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.opencensus/opencensus-contrib-http-util/0.31.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.opencensus/opencensus-proto/0.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.opentelemetry.instrumentation/opentelemetry-instrumentation-annotations/1.27.0, Apache-2.0, approved, #9270
maven/mavencentral/io.opentelemetry/opentelemetry-api/1.27.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.opentelemetry/opentelemetry-context/1.27.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.opentelemetry.instrumentation/opentelemetry-instrumentation-annotations/1.28.0, , restricted, clearlydefined
maven/mavencentral/io.opentelemetry/opentelemetry-api/1.28.0, , restricted, clearlydefined
maven/mavencentral/io.opentelemetry/opentelemetry-context/1.28.0, , restricted, clearlydefined
maven/mavencentral/io.perfmark/perfmark-api/0.26.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/jakarta.activation/jakarta.activation-api/2.1.0, EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jaf
maven/mavencentral/jakarta.annotation/jakarta.annotation-api/2.1.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.ca
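Review bot: the three `io.opentelemetry` entries at 1.27.0 were `Apache-2.0, approved` (the instrumentation annotations under ticket #9270), and this hunk replaces them with 1.28.0 entries that have an empty license column and `restricted` status. That is a regression in license status rather than a new dependency, most likely because clearlydefined has not yet harvested 1.28.0; either re-run the generation once the data is available or request review, and note that the same empty-license pattern appears for `io.grpc/grpc-googleapis/1.55.1` in the previous hunk.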
Expand Down Expand Up @@ -127,12 +152,15 @@ maven/mavencentral/org.bouncycastle/bcprov-jdk18on/1.75, MIT AND CC0-1.0, approv
maven/mavencentral/org.bouncycastle/bcutil-jdk18on/1.75, MIT, approved, #9170
maven/mavencentral/org.checkerframework/checker-qual/3.12.0, MIT, approved, clearlydefined
maven/mavencentral/org.checkerframework/checker-qual/3.32.0, MIT, approved, clearlydefined
maven/mavencentral/org.checkerframework/checker-qual/3.33.0, MIT, approved, clearlydefined
maven/mavencentral/org.codehaus.mojo/animal-sniffer-annotations/1.23, MIT, approved, clearlydefined
maven/mavencentral/org.conscrypt/conscrypt-openjdk-uber/2.5.2, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.eclipse.edc/aggregate-service-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/autodoc-processor/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/boot/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/catalog-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/connector-core/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/contract-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/control-plane-api-client-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/core-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/data-plane-core/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
Expand All @@ -150,10 +178,12 @@ maven/mavencentral/org.eclipse.edc/policy-engine-spi/0.1.4-SNAPSHOT, Apache-2.0,
maven/mavencentral/org.eclipse.edc/policy-engine/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/policy-evaluator/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/policy-model/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/policy-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/runtime-metamodel/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transaction-datasource-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transaction-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transfer-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transform-core/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/transform-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/util/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
maven/mavencentral/org.eclipse.edc/validator-spi/0.1.4-SNAPSHOT, Apache-2.0, approved, technology.edc
8 changes: 8 additions & 0 deletions extensions/common/vault/vault-gcp/README.md
@@ -0,0 +1,8 @@
# GCP Secret Manager Vault

The vault-gcp extension is an implementation of the Vault interface based on GCP Secret Manager.
Arbitrary key names are possible through the key sanitation feature.

## Decisions
- Secrets will not be overwritten if they exist to prevent potential leakage of credentials to third parties.
- Keys strings are sanitized to comply with key requirements of AWS Secrets Manager. Sanitizing replaces all illegal characters with '-' and appends the hash code of the original key to minimize the risk of key collision after the transformation, because the replacement operation is a many-to-one function. A warning will be logged if the key contains illegal characters.
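Review bot: the second bullet says keys are sanitized to comply with the key requirements of AWS Secrets Manager, but this is the GCP Secret Manager extension; the sentence should name GCP Secret Manager's secret-ID constraints (or link to them) so readers know which characters are legal and why a warning is logged. "Keys strings" should read "Key strings". Since the sanitizer appends a hash code, which for a Java String is only 32 bits, the text should say collisions are reduced, not prevented, and the first bullet should state what a caller observes when a secret already exists (no-op, logged, or error), because silently not overwriting is a behaviour callers relying on rotation need to know about.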
25 changes: 25 additions & 0 deletions extensions/common/vault/vault-gcp/build.gradle.kts
@@ -0,0 +1,25 @@
/*
* Copyright (c) 2023 Google LLC
*
* This program and the accompanying materials are made available under the
* terms of the Apache License, Version 2.0 which is available at
* https://www.apache.org/licenses/LICENSE-2.0
*
* SPDX-License-Identifier: Apache-2.0
*
* Contributors:
* Google LCC - Initial implementation
*
*/

plugins {
`java-library`
}

dependencies {
api(libs.edc.spi.core)

implementation(libs.edc.util)
implementation(libs.googlecloud.core)
implementation(libs.googlecloud.secretmanager)
}
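Review bot: the contributor line in the license header reads `Google LCC - Initial implementation` while the copyright line above it says `Google LLC`; fix the typo. No `testImplementation` dependencies appear in this file although the commit message describes tests using `assertThat` and mocks; if those come from a shared convention plugin that is fine, otherwise they are missing here. Keeping `libs.googlecloud.core` and `libs.googlecloud.secretmanager` at `implementation` scope is the right call, since the Secret Manager client types should not leak into the extension's API.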